Automated Updating#

Setting the flag "daily_check_and_auto_update_on_idle" to true in prefs.XML of CrushFTP v11.2.3_19+ will do automated daily checks and updates.

Update Bug on Windows#

Some versions of CrushFTP had a problem applying an update automatically: they failed to rename ".jar" files on Windows operating systems and instead left behind ".jar_tmp" files that need the "_tmp" removed from them manually. This has been fixed for a while, but if you are still on one of these older builds, you will be affected the next time you attempt the update, so you need to fix the jar filenames manually one time. Example: CrushFTP.jar_tmp -> CrushFTP.jar. Do the same for all other jars in the plugins and plugins/lib folders, and for CrushTunnel.jar in the WebInterface folder. Do all 3 locations entirely.
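The rename described above can be scripted in PowerShell. This is an added example, not CrushFTP's own tooling; the default install path and the `jar_tmp_fix_old` folder name are placeholders, and it assumes the CrushFTP service is stopped so the jars are not locked.

```powershell
# Added example, not CrushFTP's own tooling. Run with -WhatIf first to preview.
# Assumptions: the $CrushRoot default is a placeholder path; the CrushFTP service
# is stopped; jar_tmp_fix_old is a hypothetical folder name for displaced jars.
[CmdletBinding(SupportsShouldProcess)]
param(
    [string]$CrushRoot = 'C:\CrushFTP11'
)

$ErrorActionPreference = 'Stop'
$root  = (Resolve-Path -LiteralPath $CrushRoot).Path.TrimEnd('\')
$aside = Join-Path $root ('jar_tmp_fix_old\' + (Get-Date -Format 'yyyyMMdd_HHmmss'))

# Main folder (top level only), then plugins (covers plugins\lib) and WebInterface.
$leftovers = @(Get-ChildItem -LiteralPath $root -File |
    Where-Object { $_.Name -like '*.jar_tmp' })
foreach ($sub in 'plugins', 'WebInterface') {
    $dir = Join-Path $root $sub
    if (Test-Path -LiteralPath $dir) {
        $leftovers += @(Get-ChildItem -LiteralPath $dir -File -Recurse |
            Where-Object { $_.Name -like '*.jar_tmp' })
    }
}

foreach ($tmp in $leftovers) {
    # CrushFTP.jar_tmp -> CrushFTP.jar (strip the trailing "_tmp" only)
    $target = $tmp.FullName.Substring(0, $tmp.FullName.Length - '_tmp'.Length)
    if (Test-Path -LiteralPath $target) {
        # An older jar is still in place: move it aside instead of deleting it.
        $rel  = $target.Substring($root.Length + 1)
        $dest = Join-Path $aside $rel
        New-Item -ItemType Directory -Path (Split-Path $dest -Parent) -Force | Out-Null
        Move-Item -LiteralPath $target -Destination $dest
    }
    Rename-Item -LiteralPath $tmp.FullName -NewName (Split-Path $target -Leaf)
    Write-Output "$($tmp.FullName) -> $target"
}
Write-Output "$($leftovers.Count) .jar_tmp file(s) processed."
```

A count of 0 means no leftover ".jar_tmp" files were found in the scanned folders.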

Vulnerability Info#

November 11th, 2024 - (CVE-2024-53552 - CREDIT: Stratascale Cyber Research Unit)
V10 versions below 10.8.3 and V11 versions below 11.2.3 are vulnerable to a password reset email exploit. If an end user clicks the link, their account is compromised.
Once you update, you must configure your allowed email reset URL domains.
v10: Preferences, WebInterface, MiniURL: Set an allowed list of domains, comma separated.
v11: Preferences, WebInterface, Login Page: Set a domain pattern that is not just '*', as '*' is no longer allowed.

October 10, 2024 - (CVE-2024-11986 credit European Commission, Application Security Testing Services)
XSS bug fixed in CrushFTP 10.8.2 and 11.2.1.

April 19th, 2024 - (CVE-2024-4040)
CrushFTP v11 versions below 11.1 have a vulnerability where users can escape their VFS and download system files. This has been patched in v11.1.0. Customers using a DMZ in front of their main CrushFTP instance are partially protected by the protocol translation system it utilizes. A DMZ, however, does not fully protect you, and you must update immediately. (CREDIT: Simon Garrelou, of Airbus CERT)


FAQ:#

• If I'm on v10.8.3+, do I need to upgrade to v11? No, 10.8.3+ are safe.
• If I'm on v10.6.1, or v10.3, or v10.5.5, am I vulnerable? Yes! Update immediately to 10.8.3+ or v11.2.3+.



Updating CrushFTP v11#

How to update CrushFTP within the same major version number:#

1.) Login to the dashboard using your "crushadmin" equivalent user in the WebInterface.
2.) Click on the about tab.
3.) Click Update, Update Now.
4.) Wait roughly 5 minutes for the files to download, unzip, and be copied in place. CrushFTP will auto restart once done.
5.) Finished.



Installing an offline update when the server cannot reach our server over the internet directly:#

1.) Download CrushFTP11.zip from our download page. (https://www.crushftp.com/early11/CrushFTP11.zip)
2.) Give it the specific name `CrushFTP11_new.zip` and place this in the CrushFTP main folder. (Same location where you have your CrushFTP.jar file)
3.) Follow the normal update instructions above; CrushFTP will use your local offline zip file.


Fully manual offline update:#

In some rare scenarios neither of the above methods works, for example when file permissions prevent the updater from consuming the update file or overwriting the necessary components. In such a case:
1.) Download CrushFTP11.zip from our download page. (https://www.crushftp.com/early11/CrushFTP11.zip)
2.) Unzip it to a temporary directory.
3.) Stop the CrushFTP service.
4.) Copy either the full content, or just the CrushFTP.jar file and the plugins and WebInterface subdirectories as they are, over the installation. Overwrite all when prompted.
5.) Start the CrushFTP service. Once it is back online, clear the browser cache or check with an incognito/private browser session.



How to restore a backup in the event of some issue or regression in functionality:#

(CrushFTP automatically creates a backup of its core files in the CrushFTP folder, backup folder.)
1.) Restore the CrushFTP.jar file.
2.) Restore the plugins folder.
3.) Restore the WebInterface folder...mainly the CrushTunnel.jar file from inside it.


Changelog: https://www.crushftp.com/version11_build.html



Updating an old CrushFTP v10,v9 and prior#

You must upgrade: CrushFTPUpgrade
You need a v11 license code first! If you are an enterprise customer, contact us for your code. It's free if your maintenance is current.


All prior versions of CrushFTP were also affected by this most recent vulnerability.
CrushFTP v10 info: https://www.crushftp.com/crush10wiki/Wiki.jsp?page=Update

This page (revision-51) was last changed on 27-Jan-2025 09:43 by Ben Spink